SCADA Apps Riddled With Major Flaws

Mobile applications used in industrial control system (ICS) environments are shot through with vulnerabilities, exposing mission critical processes and infrastructure to attack, according to new research.

IOActive teamed up with IoT specialist Embedi to study 34 mobile applications used in Supervisory Control and Data Acquisition (SCADA) systems — selected at random from the Google Play store.

The number of these apps is growing all the time, so the researchers wanted to see if they’re unduly exposing organizations to the risk of external attack or accidental insider threats.

They found a staggering 147 vulnerabilities altogether — an increase of 1.6 per app from 2015, when the team found 50 issues in 20 such apps.

IOActive explained that the problem comes down to developers rushing apps to market without incorporating security by design.

“There’s not much an end-user can do to fix bugs in a mobile application themselves. The fixes will need to be done by the vendors,” IOActive principal security consultant, Jason Larsen, told Infosecurity.

“A good start would be transparency. If an application is built using secure programming practices and has gone through a review, documenting that would go a long way.”

In fact, attackers don’t even need physical access to the victim’s smartphone. If a user downloads a fake malicious app by mistake then that malware could attack the vulnerable application, the firm claimed.

IOActive recommended that SCADA app developers think carefully about security, noting that the OWASP Top 10, the OWASP Mobile Top 10 2016, and the 24 Deadly Sins of Software Security could help guide them through best practices.

“This is simply a continuation of the current Industrial Internet of Things (IIoT) trend,” warned IOActive security consultant, Alexander Bolshev. “Over the past two years, the number of applications on Google Play Store has doubled, and some of these applications have been installed 1000-10,000 times.”